MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8770a893bc2ac58f0cdc6fc5c9b1499819215a26fbaf7b0915d3d75fefdae0dc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 15


Intelligence 15 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8770a893bc2ac58f0cdc6fc5c9b1499819215a26fbaf7b0915d3d75fefdae0dc
SHA3-384 hash: 9021aae46c82e7a6b6576b2945446b7f2b8ec6a07decef17ed38a901abe5b3515fa9a2c27946225538b079379efa7267
SHA1 hash: 1b86871962f18400a86e5db8d944a52647ded6b3
MD5 hash: 91073c383c5828128cd16e14223fb59c
humanhash: bacon-stairway-illinois-five
File name:file
Download: download sample
Signature Amadey
Create hunting rule
File size:7'810'048 bytes
First seen:2023-08-31 19:04:05 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash ee26deb5354c4489ff0dc7547168b2dc (3 x Amadey, 3 x RedLineStealer, 1 x PrivateLoader)
ssdeep 196608:7fX5m0N5j9Wj6J/C6tpMcB1c/Sm7hMm71csL:7g0NZ9WOw6tphm7h
TLSH T1927622D93700269CC41D8830C833ED5B7376981B6E9AA96773D77B8A3F76331A605B06
TrID 38.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
15.6% (.ICL) Windows Icons Library (generic) (2059/9)
15.4% (.EXE) OS/2 Executable (generic) (2029/13)
15.2% (.EXE) Generic Win/DOS Executable (2002/3)
15.2% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon e4aca098888cb898 (1 x Amadey)
Reporter andretavare5
Tags:Amadey exe


Avatar
andretavare5
Sample downloaded from https://colegiojuanbernardone.com/wp-includes/gate4_x64.exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
322
Origin country :
US US
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2023-08-31 19:07:30 UTC
Tags:
privateloader evasion opendir loader risepro stealer redline fabookie arkei vidar stealc amadey botnet trojan smoke miner tofsee
Link:
https://app.any.run/tasks/c8585c5a-1063-463e-9830-38533c5f9c88

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/445520/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Modifying a system file
Сreating synchronization primitives
DNS request
Replacing files
Sending a custom TCP request
Sending an HTTP GET request
Launching a service
Launching a process
Reading critical registry keys
Creating a file
Sending a UDP request
Forced system process termination
Searching for synchronization primitives
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% subdirectories
Changing a file
Blocking the Windows Defender launch
Query of malicious DNS domain
Sending a TCP request to an infection source
Unauthorized injection to a recently created process
Adding exclusions to Windows Defender
Sending an HTTP GET request to an infection source
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
lolbin packed packed shell32
Link:
https://www.filescan.io/uploads/64f0e460d7ae0984750fe9c1/reports/d448398c-a529-4065-936c-2a6a5a8d9379/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/8770a893bc2ac58f0cdc6fc5c9b1499819215a26fbaf7b0915d3d75fefdae0dc
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/c6622f62-f2d5-42bc-bb43-cc8f8fdf00ec
Result
Threat name:
Fabookie, PrivateLoader, RedLine, SmokeL
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1301250
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Detected VMProtect packer
Disable Windows Defender real time protection (registry)
Disables Windows Defender (deletes autostart)
Drops PE files to the document folder of the user
Drops PE files to the user root directory
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Modifies Group Policy settings
Multi AV Scanner detection for dropped file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Yara detected Fabookie
Yara detected PrivateLoader
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Tofsee
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1301250 Sample: file.exe Startdate: 31/08/2023 Architecture: WINDOWS Score: 100 99 Found malware configuration 2->99 101 Malicious sample detected (through community Yara rule) 2->101 103 Antivirus detection for URL or domain 2->103 105 20 other signatures 2->105 8 file.exe 11 51 2->8         started        13 svchost.exe 2->13         started        15 svchost.exe 2->15         started        17 3 other processes 2->17 process3 dnsIp4 89 87.240.132.67 VKONTAKTE-SPB-AShttpvkcomRU Russian Federation 8->89 91 95.142.206.0 VKONTAKTE-SPB-AShttpvkcomRU Russian Federation 8->91 95 17 other IPs or domains 8->95 67 C:\Users\...\ywxh0xxxVETeVXd2I7dJX1vn.exe, PE32+ 8->67 dropped 69 C:\Users\...\tOuBvNZxpVabDYMdX8taRwPV.exe, PE32+ 8->69 dropped 71 C:\Users\...\s45RSViYZIL5r4IfsNbDJjQ4.exe, PE32 8->71 dropped 73 21 other malicious files 8->73 dropped 125 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 8->125 127 Creates HTML files with .exe extension (expired dropper behavior) 8->127 129 Disables Windows Defender (deletes autostart) 8->129 133 3 other signatures 8->133 19 7GTMbTvjXv2Zpb8Ut3_z8Vrc.exe 8->19         started        22 ywxh0xxxVETeVXd2I7dJX1vn.exe 8->22         started        26 IxGwwyqJEgLPNFds11NZFh4N.exe 8->26         started        28 12 other processes 8->28 93 51.124.78.146 MICROSOFT-CORP-MSN-AS-BLOCKUS United Kingdom 13->93 131 Query firmware table information (likely to detect VMs) 13->131 file5 signatures6 process7 dnsIp8 107 Writes to foreign memory regions 19->107 109 Allocates memory in foreign processes 19->109 111 Injects a PE file into a foreign processes 19->111 30 vbc.exe 19->30         started        75 87.240.132.78 VKONTAKTE-SPB-AShttpvkcomRU Russian Federation 22->75 77 45.15.156.229 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation 22->77 83 4 other IPs or domains 22->83 49 C:\Users\...\ve2MWlfFMuU5GM41Q8us6mgV.exe, PE32+ 22->49 dropped 51 C:\Users\...\vZEokHkBSz4xlo3gMfhw0r4W.exe, PE32 22->51 dropped 53 C:\Users\...\vT7KaQi2vuDPGKEN09_bJyrR.exe, PE32 22->53 dropped 55 C:\Users\user\AppData\Local\...\super[1].exe, PE32 22->55 dropped 113 Disables Windows Defender (deletes autostart) 22->113 115 Disable Windows Defender real time protection (registry) 22->115 85 3 other IPs or domains 26->85 57 C:\Users\user\AppData\...\Secure Preferences, JSON 26->57 dropped 117 Tries to harvest and steal browser information (history, passwords, etc) 26->117 79 149.154.167.99 TELEGRAMRU United Kingdom 28->79 81 185.225.73.32 MAYAKBG Germany 28->81 87 8 other IPs or domains 28->87 59 C:\Zemana.sys, PE32+ 28->59 dropped 61 C:\Users\user\mvbmkzr.exe, PE32 28->61 dropped 63 C:\Users\...\CprwzdesBG1dMqc4J3YLRVr8.exe, PE32+ 28->63 dropped 65 6 other malicious files 28->65 dropped 119 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 28->119 121 Tries to steal Mail credentials (via file / registry access) 28->121 123 Tries to steal Crypto Currency Wallets 28->123 34 explorer.exe 28->34 injected 37 cmd.exe 28->37         started        39 cmd.exe 28->39         started        41 conhost.exe 28->41         started        file9 signatures10 process11 dnsIp12 97 176.123.9.142 ALEXHOSTMD Moldova Republic of 30->97 135 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 30->135 137 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 30->137 139 Tries to harvest and steal browser information (history, passwords, etc) 30->139 141 Tries to steal Crypto Currency Wallets 30->141 47 C:\Users\user\AppData\Roaming\djhwrgd, PE32 34->47 dropped 143 Benign windows process drops PE files 34->143 43 conhost.exe 37->43         started        45 conhost.exe 39->45         started        file13 signatures14 process15
Detection:
tofsee
Create hunting rule
Link:
https://mwdb.cert.pl/sample/8770a893bc2ac58f0cdc6fc5c9b1499819215a26fbaf7b0915d3d75fefdae0dc/
Threat name:
Win64.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2023-08-31 19:05:08 UTC
File Type:
PE+ (Exe)
Extracted files:
454
AV detection:
16 of 38 (42.11%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=q5ykre54flcy6dg4n7c4tmkjtamscwrg7oxxwciv2plv73624doa._file
Verdict:
malicious
Result
Malware family:
privateloader
Create hunting rule
Score:
  10/10
Tags:
family:privateloader loader spyware stealer vmprotect
Link:
https://tria.ge/reports/230831-xrhdjshe2v/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Drops file in System32 directory
Looks up external IP address via web service
Checks computer location settings
Reads user/profile data of web browsers
VMProtect packed file
PrivateLoader
Unpacked files
SH256 hash:
8770a893bc2ac58f0cdc6fc5c9b1499819215a26fbaf7b0915d3d75fefdae0dc
MD5 hash:
91073c383c5828128cd16e14223fb59c
SHA1 hash:
1b86871962f18400a86e5db8d944a52647ded6b3
Link:
https://www.unpac.me/results/720a9504-8033-4479-850d-07f878b4521a/
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/8770a893bc2a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8770a893bc2ac58f0cdc6fc5c9b1499819215a26fbaf7b0915d3d75fefdae0dc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_VMProtect
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with VMProtect.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/445520/
  
URLhaus
https://urlhaus.abuse.ch/url/2708740/

Comments